ZH2003-24SA (security advisory): ChitChat.NET XSS Vulnerability



----- Original Message -----
From: "G00db0y" <G00db0y@zone-h.org>
To: <bugtraq@securityfocus.com>
Sent: Wednesday, August 13, 2003 8:03 AM
Subject: ZH2003-24SA (security advisory): ChitChat.NET XSS Vulnerability


>
>
> ZH2003-24SA (security advisory): ChitChat.NET XSS Vulnerability
>
>
> Published: 13 August 2003
>
> Released: 13 August 2003
>
> Name: ChitChat.NET
>
> Affected Systems: 2.0
>
> Issue: Remote attackers can inject XSS script
>
> Author: G00db0y@zone-h.org
>
> Vendor: http://clickcess.com/
>
>
>
> Description
>
> ***********
>
> Zone-h Security Team has discovered a flaw in ChitChat.NET v2.0 (and older
> versions?).
> "ChitChat.NET is an ASP.NET based discussion forum designed specifically
> for SQL Server."
>
>
>
>
> Details
>
> *******
>
> It's possible to inject XSS script in the Name box and in the Topic Title
> box.
>
> For example try this:
>
> Name: <script>alert(Zone-h1)</script>
>
> Email address: test@test.com
>
> Topic title: <script>alert(Zone-h)</script>
>
> Message: www.Zone-h.org
>
>
>
> Solution:
>
> *********
>
> The vendor has been contacted and a patch was produced.
>
>
> Suggestions:
>
> ************
>
> Filter the posting procedure.
>
>
> G00db0y - www.zone-h.org admin
>
> Original advisory here: http://www.zone-h.org/en/advisories/read/id=2882/
>
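
The advisory's suggestion to filter the posting procedure, sketched as an added example (not ChitChat.NET code and not the vendor's patch): single-line fields are normalized on input, and every user-supplied field is HTML-encoded where it is written into the page. The `ForumPost` and `PostRenderer` types and the length limits are hypothetical; the sample values are the ones from the advisory's example post.

```csharp
using System;
using System.Net;

// Hypothetical model of a forum post; the advisory does not show the product's own types.
public sealed class ForumPost
{
    public string Name = "";
    public string Email = "";
    public string TopicTitle = "";
    public string Message = "";
}

public static class PostRenderer
{
    // Input side: trim, cap the length and reject control characters in single-line
    // fields. This narrows what gets stored; it is not the XSS defence by itself.
    public static string NormalizeSingleLine(string value, int maxLength)
    {
        string v = (value ?? "").Trim();
        if (v.Length == 0 || v.Length > maxLength)
            throw new ArgumentException("field is empty or too long");
        foreach (char c in v)
            if (char.IsControl(c))
                throw new ArgumentException("control character in single-line field");
        return v;
    }

    // Output side: encode each stored field at the point where it enters markup,
    // so tags submitted in Name or Topic Title are displayed as text.
    public static string RenderTopicHtml(ForumPost p)
    {
        return "<div class=\"topic\">"
             + "<h2>" + WebUtility.HtmlEncode(p.TopicTitle) + "</h2>"
             + "<span class=\"author\">" + WebUtility.HtmlEncode(p.Name) + "</span>"
             + "<p>" + WebUtility.HtmlEncode(p.Message) + "</p>"
             + "</div>";
    }
}

public static class Program
{
    public static void Main()
    {
        // Field values taken from the advisory's example post.
        var post = new ForumPost();
        post.Name = PostRenderer.NormalizeSingleLine("<script>alert(Zone-h1)</script>", 64);
        post.Email = "test@test.com";
        post.TopicTitle = PostRenderer.NormalizeSingleLine("<script>alert(Zone-h)</script>", 128);
        post.Message = "www.Zone-h.org";
        Console.WriteLine(PostRenderer.RenderTopicHtml(post));
    }
}
```

Encoding at render time also covers posts that were stored before any input check was in place.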
